Rogers’ “Cybersecurity” Bill Is Broad Enough to Use Against WikiLeaks and The Pirate Bay

Congress is doing it again: they’re proposing overbroad regulations that could have dire consequences for our Internet ecology. The Cyber Intelligence Sharing and Protection Act of 2011 (H.R. 3523), introduced by Rep. Mike Rogers and Rep. Dutch Ruppersberger, allows companies or the government1 free rein to bypass existing laws in order to monitor communications, filter content, or potentially even shut down access to online services for “cybersecurity purposes.” Companies are encouraged to share data with the government and with one another, and the government can share data in return. The idea is to facilitate detection of and defense against a serious cyber threat, but the definitions in the bill go well beyond that. The language is so broad it could be used as a blunt instrument to attack websites like The Pirate Bay or WikiLeaks. Join EFF in calling on Congress to stop the Rogers’ cybersecurity bill.

Under the proposed legislation, a company that protects itself or other companies against “cybersecurity threats” can “use cybersecurity systems to identify and obtain cyber threat information to protect the rights and property” of the company under threat. But because “us[ing] cybersecurity systems” is incredibly vague, it could be interpreted to mean monitoring email, filtering content, or even blocking access to sites. A company acting on a “cybersecurity threat” would be able to bypass all existing laws, including laws prohibiting telcos from routinely monitoring communications, so long as it acted in “good faith.”

The broad language around what constitutes a cybersecurity threat leaves the door wide open for abuse. For example, the bill defines “cyber threat intelligence” and “cybersecurity purpose” to include “theft or misappropriation of private or government information, intellectual property, or personally identifiable information.”

Yes, intellectual property. It’s a little piece of SOPA wrapped up in a bill that’s supposedly designed to facilitate detection of and defense against cybersecurity threats. The language is so vague that an ISP could use it to monitor communications of subscribers for potential infringement of intellectual property. An ISP could even interpret this bill as allowing them to block accounts believed to be infringing, block access to websites like The Pirate Bay believed to carry infringing content, or take other measures provided they claimed it was motivated by cybersecurity concerns.

The language of “theft or misappropriation of private or government information” is equally concerning. Regardless of the intent of this language, the end result is that the government and Internet companies could use this language to block sites like WikiLeaks and NewYorkTimes.com, both of which have published classified information. Online publishers like WikiLeaks are currently afforded protection under the First Amendment; receiving and publishing classified documents from a whistleblower is a common journalistic practice. While there’s uncertainty about whether the Espionage Act could be brought to bear against WikiLeaks, it is difficult to imagine a situation where the Espionage Act would apply to WikiLeaks without equally applying to the New York Times, the Washington Post, and in fact everyone who reads about the cablegate releases. But under Rogers' cybersecurity proposal, the government would have new, powerful tools to go after WikiLeaks. By claiming that WikiLeaks constituted “cyber threat intelligence” (aka “theft or misappropriation of private or government information”), the government may be empowering itself and other companies to monitor and block the site. This means that the previous tactics used to silence WikiLeaks—including a financial blockade and shutting down their accounts with online service providers—could be supplemented by very direct means. The government could proclaim that WikiLeaks constitutes a cybersecurity threat and have new, broad powers to filter and block communication with the journalistic website.

Congress is intent on passing cybersecurity legislation this year, and there are multiple proposals in the House and the Senate under debate. But none is as poorly drafted and dangerously vague as the Rogers bill. We need to stop this bill in its tracks, before it can advance in the House and before the authors can negotiate to place this overbroad language into other cybersecurity proposals.

Internet security is a serious problem that needs to be addressed. But we don’t need to sacrifice our civil liberties to do so. Help us safeguard the web by contacting Congress today.

1. Even though “self-protected entities” are discussed in a section of the bill regarding the private sector, the bill actually defines a “self-protected entity” as “an entity, other than an individual, that provides goods or services for cybersecurity purposes to itself.” This language could well be interpreted to encompass the government.

Related Updates

In the wake of Charlottesville, both GoDaddy and Google have refused to manage the domain registration for the Daily Stormer, a neo-Nazi website that, in the words of the Southern Poverty Law Center, is “dedicated to spreading anti-Semitism, neo-Nazism, and white nationalism.” Subsequently Cloudflare, whose service...

Almost all posts on social media include depictions of real people. And most social media websites include advertising. Does this combination mean that nearly everyone featured on social media can sue for infringement of their right of publicity? That would be disruptive. Fortunately, a new ruling [PDF] by...

There’s a new bill in Congress that would threaten your right to free expression online. If that weren’t enough, it could also put small Internet businesses in danger of catastrophic litigation. Don’t let its name fool you: the Stop Enabling Sex Traffickers Act (SESTA, S. 1693) wouldn’t help punish...

This weekend Apple took a dispiriting step in the policing of its Chinese mainland App store: the company removed several Virtual Private Network (VPN) applications that allowed users to circumvent the China’s extensive internet censorship apparatus. In effect, the company has once again aided the Chinese government in...

In recent months, social media platforms—under pressure from a number of governments—have adopted new policies and practices to remove content that promotes terrorism. As the Guardian reported, these policies are typically carried out by low-paid contractors (or, in the case of YouTube, volunteers) and with little to no transparency...

The First Amendment protects our right to use electronic devices to record on-duty police officers, according to a new ruling by the U.S. Court of Appeals for the Third Circuit in Fields v. Philadelphia. This right extends to anyone with a recording device, journalists and members of the...

Can the government stop you from finding out it’s been looking through your private Facebook content as part of a “secret” investigation that’s not actually secret? That’s the question raised by an alarming case pending in the Washington D.C. Court of Appeals. Facebook has described the investigation as "known to...

Update 5:00pm: Zillow has released a statement saying the company has "decided against moving forward with legal action." EFF is pleased that Zillow has withdrawn its threat and won't be seeking to take down any of the posts on McMansion Hell. We hope that other companies seeking to shut...

A country has the right to prevent the world’s Internet users from accessing information, Canada’s highest court ruled on Wednesday. In a decision that has troubling implications for free expression online, the Supreme Court of Canada upheld a company’s effort to force Google to de-list entire domains and websites...

EFF has just launched the Summer Security Camp, a two-week membership drive that challenges people everywhere to gather ‘round the online rights movement and prepare for the privacy and free speech challenges in their paths. Through the 4th of July, anyone can join EFF or renew as a...